Add support for SAME target

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2051 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall2/changelog.txt

@@ -13,6 +13,8 @@ Changes in 2.2.4
 6) Allow startup options to be overridden in /etc/sysconfig/shorewall
    or /etc/default/shorewall.
 
+7) Add support for SAME
+
 Changes in 2.2.3
 
 1) Added the 'continue' extension script.

Shorewall2/firewall

@@ -3832,7 +3832,14 @@ add_nat_rule() {
 
     # Select target
 
-    if [ -n "$serv" ]; then
+    if [ "$logtarget" = SAME ]; then
+	[ -n "$servport" ] && fatal_error "Port mapping not allowed in SAME rules"
+	serv1=
+	for srv in $(separate_list $serv); do
+	    serv1="$serv1 --to ${srv}"
+	done
+	target1="SAME $serv1"
+    elif [ -n "$serv" ]; then
 	servport="${servport:+:$servport}"
 	serv1=
 	for srv in $(separate_list $serv); do
@@ -4095,9 +4102,9 @@ add_a_rule()
 	    servport=${servport:=$port}
 	    natrule=Yes
 	    ;;
-	DNAT)
+	DNAT|SAME)
 	    [ -n "$serv" ] || \
-		fatal_error "DNAT rules require a server address; rule: \"$rule\""
+		fatal_error "$logtarget rules require a server address; rule: \"$rule\""
 	    natrule=Yes
 	    ;;
 	LOG)
@@ -4114,7 +4121,7 @@ add_a_rule()
 	    if [ -n "$natrule" ]; then
 		add_nat_rule
 	    elif [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]; then
-		fatal_error "Only DNAT and REDIRECT rules may specify destination mapping; rule \"$rule\""
+		fatal_error "Only DNAT, SAME and REDIRECT rules may specify destination mapping; rule \"$rule\""
 	    fi
 
 	    if [ -z "$dnat_only" ]; then
@@ -4169,7 +4176,7 @@ add_a_rule()
 
 	[ -n "$addr" ] && fatal_error \
 	    "An ORIGINAL DESTINATION ($addr) is only allowed in" \
-	    " a DNAT or REDIRECT: \"$rule\""
+	    " a DNAT, SAME or REDIRECT: \"$rule\""
 
 	if [ $COMMAND != check ]; then
 	    if [ -n "$loglevel" ]; then
@@ -4319,7 +4326,7 @@ process_rule() # $1 = target
 	CONTINUE)
 	    target=RETURN
 	    ;;
-	DNAT*)
+	DNAT*|SAME*)
 	    target=ACCEPT
 	    address=${address:=detect}
 	    ;;
@@ -4352,8 +4359,13 @@ process_rule() # $1 = target
 	excludezones="${clientzone#*!}"
 	clientzone="${clientzone%!*}"
 
-	[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\
-	    fatal_error "Exclude list only allowed with DNAT or REDIRECT"
+	case $logtarget in
+	    DNAT|REDIRECT|SAME)
+		;;
+	    *)
+		fatal_error "Exclude list only allowed with DNAT, SAME or REDIRECT"
+		;;
+	esac
     fi
 
     validate_zone $clientzone || fatal_error "Undefined Client Zone in rule \"$rule\""
@@ -4416,7 +4428,7 @@ process_rule() # $1 = target
     protocol=${protocol:=all}
 
     case $logtarget in
-	DNAT*)
+	DNAT*|SAME)
 	    if [ -n "$XMULTIPORT" ] && \
 	       ! list_search $protocol "icmp" "ICMP" "1" && \
 	       [ $(( $(list_count $ports)  + $(list_count1 $(split $ports ) ) ))  -le 16 -a \
@@ -4595,7 +4607,7 @@ process_rules()
 	expandv xtarget
 
 	case "${xtarget%%:*}" in
-	    ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
+	    ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE|SAME|SAME-)
 		do_it
 		;;
 	    *)
@@ -5146,6 +5158,8 @@ setup_masq()
 
 	[ "x$addresses" = x- ] && addresses=
 
+	
+
 	if [ -n "$addresses" -a -n "$add_snat_aliases" ]; then
 	    for address in $(separate_list $addresses); do
 		address=${address%:)}
@@ -5292,17 +5306,35 @@ setup_masq()
 	target=MASQUERADE
 
 	if [ -n "$addresses" ]; then
-	    for address in $(separate_list $addresses); do
-		case $address in
-		    *.*.*.*)
-			target=SNAT
-			addrlist="$addrlist --to-source $address"
-			;;
-		    *)
-			addrlist="$addrlist --to-ports ${address#:}"
-			;;
-		esac
-	    done
+	    case "$addresses" in
+		SAME:nodst:*)
+		    target="SAME --nodst"
+		    addresses=${addresses#SAME:nodst:}
+		    for address in $(separate_list $addresses); do
+			addrlist="$addrlist --to $address";
+		    done
+		    ;;
+		SAME:*)
+		    target="SAME"
+		    addresses=${addresses#SAME:}
+		    for address in $(separate_list $addresses); do
+			addrlist="$addrlist --to $address";
+		    done
+		    ;;
+		*)
+		    for address in $(separate_list $addresses); do
+			case $address in
+			    *.*.*.*)
+				target=SNAT
+				addrlist="$addrlist --to-source $address"
+				;;
+			    *)
+				addrlist="$addrlist --to-ports ${address#:}"
+				;;
+			esac
+		    done
+		    ;;
+	    esac
 	fi
 
 	if [ -n "$networks" ]; then

Shorewall2/masq

@@ -86,6 +86,20 @@
 #					192.0.2.4:5000-6000
 #					:4000-5000
 #
+#				You can invoke the SAME target using the 
+#				following in this column:
+#
+#				   SAME:[nodst:]<address-range>[,<address-range>...]
+#
+#				The <address-ranges> may be single addresses. 
+#
+#				SAME works like SNAT with the exception that the
+#				same local IP address is assigned to each connection
+#				from a local address to a given remote address. If
+#				the 'nodst:' option is included, then the same source
+#				address is used for a given internal system regardless
+#				of which remote system is involved.
+#
 #				If you want to leave this column empty
 #				but you need to specify the next column then
 #				place a hyphen ("-") here.

Shorewall2/releasenotes.txt

@@ -98,6 +98,35 @@ New Features in version 2.2.4
 
       OPTIONS=""
 
+4) Shorewall now has support for the SAME target. This change affects
+   the /etc/shorewall/masq and /etc/shorewall/rules file.
+
+   SAME is useful when you specify multiple target IP addresses (in the
+   ADDRESSES column of /etc/shorewall/masq or in the DEST column of
+   /etc/shorewall/rules). 
+
+   If you use normal SNAT then multiple connections from a given local
+   host to hosts on the internet can be assigned different source IP
+   addresses. This confuses some applications that use multiple
+   connections. To correct this problem, prefix the list of address
+   ranges in the ADDRESS column with "SAME:"
+
+	  Example:   SAME:206.124.146.176-206.124.146.180
+
+   If you want each internal system to use the same IP address from the
+   list regardless of which internet host it is talking to then prefix
+   the rages with "SAME:nodst:".
+
+	  Example:   SAME:nodst:206.124.146.176-206.124.146.180
+   
+   Note that it is not possible to map port numbers when using SAME.
+
+   In the rules file, when multiple connections from an internet host
+   match a SAME rule then all of the connections will be sent to the
+   same internal server. SAME rules are very similar to DNAT rules with
+   the keyword SAME replacing DNAT. As in the masq file, changing the
+   port number is not supported.
+
 -----------------------------------------------------------------------
 Problems corrected in version 2.2.3
 

Shorewall2/rules

@@ -42,6 +42,16 @@
 #					    Like DNAT but only generates the
 #					    DNAT iptables rule and not
 #					    the companion ACCEPT rule.
+#				SAME	 -- Similar to DNAT except that the
+#					    port may not be remapped and when
+#					    multiple server addresses are 
+#					    listed, all requests from a given
+#					    remote system go to the same
+#					    server.
+#				SAME-    -- Advanced users only.
+#					    Like SAME but only generates the
+#					    NAT iptables rule and not
+#					    the companion ACCEPT rule.
 #				REDIRECT -- Redirect the request to a local
 #					    port on the firewall.
 #				REDIRECT-